[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu May 21 20:41:20 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2edf328c by Salvatore Bonaccorso at 2026-05-21T21:40:52+02:00
Process NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -96,15 +96,15 @@ CVE-2026-48207 (Deserialization of untrusted data in Apache Fory PyFory. PyFory'
CVE-2026-45760 ((Externally Controlled Reference to a Resource in Another Sphere), (Au ...)
TODO: check
CVE-2026-45255 (When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi net ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-45254 (In the case of the cap_net service, when a key present in the old limi ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-45253 (ptrace(PT_SC_REMOTE) failed to properly validate parameters for the sy ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-45252 (When a fusefs file system implements extended attributes, the kernel m ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-45251 (A file descriptor can be closed while a thread is blocked in a poll(2) ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-45208 (A time-of-check time-of-use vulnerability in the Apex One/SEP agent co ...)
NOT-FOR-US: Trend Micro
CVE-2026-45207 (An origin validation vulnerability in the Apex One/SEP agent could all ...)
@@ -116,7 +116,7 @@ CVE-2026-39593 (Missing Authorization vulnerability in VillaTheme HAPPY allows E
CVE-2026-39531 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-39461 (libcasper(3) communicates with helper processes via UNIX domain socket ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2026-36189 (Buffer Overflow vulnerability in Uncrustify Project Affected v.Uncrust ...)
TODO: check
CVE-2026-34930 (An origin validation vulnerability in the Apex One/SEP agent could all ...)
@@ -132,19 +132,19 @@ CVE-2026-34926 (A directory traversal vulnerability in the Apex One (on-premise)
CVE-2026-2740 (Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecu ...)
NOT-FOR-US: Zoho
CVE-2026-28764 (MediaArea MediaInfoLib LXF element parsing heap-based buffer overflow ...)
- TODO: check
+ NOT-FOR-US: MediaInfoLib
CVE-2026-27393 (Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Ex ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-27349 (Exposure of Sensitive System Information to an Unauthorized Control Sp ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-22880 (Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3. ...)
- TODO: check
+ NOT-FOR-US: Mattermost Mobile Apps
CVE-2026-1816 (Improper restriction of excessive authentication attempts vulnerabilit ...)
- TODO: check
+ NOT-FOR-US: Mobile Application
CVE-2026-1815 (Insufficient session expiration vulnerability in Turkiye Electricity T ...)
- TODO: check
+ NOT-FOR-US: Mobile Application
CVE-2026-0393 (The affected product may expose credentials remotely between low privi ...)
- TODO: check
+ NOT-FOR-US: CODESYS
CVE-2025-71217 (An origin validation error vulnerability in the Trend Micro Apex One ( ...)
NOT-FOR-US: Trend Micro
CVE-2025-71216 (A time-of-check time-of-use vulnerability in the Trend Micro Apex One ...)
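Review bot: the tag NOT-FOR-US: Mobile Application on CVE-2026-1816 and CVE-2026-1815 names a category rather than a vendor, unlike the neighbouring entries in this hunk (NOT-FOR-US: Zoho, NOT-FOR-US: CODESYS, NOT-FOR-US: Trend Micro), which name the vendor so that later CVEs from the same source can be found by grepping data/CVE/list. The CVE-2026-1815 description already starts naming the vendor (Turkiye Electricity T ...), so consider putting that vendor name, as it appears in the full description, into both tags instead of the generic wording.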
@@ -162,9 +162,9 @@ CVE-2025-71211 (A vulnerability in the Trend Micro Apex One management console c
CVE-2025-71210 (A vulnerability in the Trend Micro Apex One management console could a ...)
NOT-FOR-US: Trend Micro
CVE-2025-13479 (Authorization bypass through User-Controlled key vulnerability in PosC ...)
- TODO: check
+ NOT-FOR-US: QR Menu
CVE-2025-13477 (Exposure of private personal information to an unauthorized actor, Ins ...)
- TODO: check
+ NOT-FOR-US: WifiBurada
CVE-2026-46473 (Authen::TOTP versions before 0.1.1 for Perl generate secrets using ran ...)
NOT-FOR-US: Authen::TOTP Perl module
CVE-2026-43498 (In the Linux kernel, the following vulnerability has been resolved: a ...)
@@ -459,45 +459,45 @@ CVE-2026-47099 (TeleJSON prior to 6.0.0 contains a DOM-based cross-site scriptin
CVE-2026-45444 (Unrestricted Upload of File with Dangerous Type vulnerability in WP Sw ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-40165 (authentik is an open-source identity provider. Versions 2025.12.4 and ...)
- TODO: check
+ NOT-FOR-US: authentik
CVE-2026-40102 (Plane is an open-source project management tool. In versions 1.3.0 and ...)
- TODO: check
+ NOT-FOR-US: Plane
CVE-2026-40094 (nimiq-blockchain provides persistent block storage for Nimiq's Rust im ...)
- TODO: check
+ NOT-FOR-US: nimiq-blockchain
CVE-2026-40092 (nimiq-blockchain provides persistent block storage for Nimiq's Rust im ...)
- TODO: check
+ NOT-FOR-US: nimiq-blockchain
CVE-2026-39960 (Mantis Bug Tracker (MantisBT) is an open source issue tracker. Version ...)
TODO: check
CVE-2026-39850 (Yii 2 is a PHP application framework. Versions 2.0.54 and prior contai ...)
TODO: check
CVE-2026-39405 (Frappe Learning Management System (LMS) is a learning system that help ...)
- TODO: check
+ NOT-FOR-US: Frappe Learning Management System (LMS)
CVE-2026-39352 (Frappe is a full-stack web application framework. Versions prior to 15 ...)
- TODO: check
+ NOT-FOR-US: Frappe
CVE-2026-39311 (Trilium Notes is a cross-platform, hierarchical note taking applicatio ...)
- TODO: check
+ NOT-FOR-US: Trilium Notes
CVE-2026-39310 (Trilium Notes is a cross-platform, hierarchical note taking applicatio ...)
- TODO: check
+ NOT-FOR-US: Trilium Notes
CVE-2026-35016 (Open ISES Tickets before 3.44.2 contains a reflected cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35015 (Open ISES Tickets before 3.44.2 contains a reflected cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35014 (Open ISES Tickets before 3.44.2 contains a reflected cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35013 (Open ISES Tickets before 3.44.2 contains a reflected cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35012 (Open ISES Tickets before 3.44.2 contains a reflected cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35011 (Open ISES Tickets before 3.44.2 contains a reflected cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35010 (Open ISES Tickets before 3.44.2 contains a reflected cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35009 (Open ISES Tickets before 3.44.2 contains a reflected cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35008 (Open ISES Tickets before 3.44.2 contains a reflected cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-35007 (Open ISES Tickets before 3.44.2 contains a reflected cross-site script ...)
- TODO: check
+ NOT-FOR-US: Open ISES Tickets
CVE-2026-33137 (XWiki Platform is a generic wiki platform offering runtime services fo ...)
NOT-FOR-US: XWiki
CVE-2026-2813 (ArcGIS Server contains an input validation weakness in the login redir ...)
@@ -507,7 +507,7 @@ CVE-2026-2812 (ArcGIS Server contains an improper authentication vulnerability i
CVE-2026-2734 (In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST ...)
NOT-FOR-US: mlflow
CVE-2026-26028 (CryptPad is an end-to-end encrypted collaborative office suite. In ver ...)
- TODO: check
+ NOT-FOR-US: CryptPad
CVE-2026-24218 (NVIDIA DGX OS contains a vulnerability in the factory provisioning pro ...)
NOT-FOR-US: NVIDIA
CVE-2026-24217 (NVIDIA BioNeMo Core for Linux contains a vulnerability where a user co ...)
@@ -721,7 +721,7 @@ CVE-2026-24425 (Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox
- php-twig 3.26.0-1
NOTE: https://symfony.com/blog/cve-2026-24425-possible-sandbox-bypass-when-using-a-source-policy
CVE-2026-22554 (MediaArea MediaInfoLib Channel Splitting heap-based buffer overflow vu ...)
- TODO: check
+ NOT-FOR-US: MediaInfoLib
CVE-2026-22315 (Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client L ...)
NOT-FOR-US: Meona
CVE-2026-22314 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
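Review bot: CVE-2026-22554 is tagged NOT-FOR-US: MediaInfoLib, matching the tag given to CVE-2026-28764 earlier in this commit, but the description names a library (MediaArea MediaInfoLib) rather than a vendor product, and a library is exactly the kind of code that may be shipped as a Debian source package. Before treating both entries as NFU, confirm that no source package builds this library; if one does, the two entries should carry a package line with a status, in the form the php-twig line just above in this hunk uses, rather than a NOT-FOR-US tag.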
@@ -755,7 +755,7 @@ CVE-2025-31973 (HCL BigFix Service Management (SM) is susceptible to a Configur
CVE-2025-11954 (Cross-Site request forgery (CSRF) vulnerability in Sitemio Information ...)
NOT-FOR-US: Sitemio
CVE-2023-7346 (Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivat ...)
- TODO: check
+ NOT-FOR-US: Ledger Bitcoin app
CVE-2026-41073
- request-tracker5 5.0.10+dfsg-1
- request-tracker4 <unfixed>
@@ -1245,9 +1245,9 @@ CVE-2026-31070 (The LalanaChami Pharmacy Management System (commit 5c3d028) allo
CVE-2026-31069 (BillaBear (all versions prior to Jan 2026) contains a SQL Injection vu ...)
NOT-FOR-US: BillaBear
CVE-2026-30118 (scalar/astro v0.1.13 was discovered to contain a Server-Side Request F ...)
- TODO: check
+ NOT-FOR-US: scalar/astro
CVE-2026-30117 (scalar/astro v0.1.13 was discovered to contain an arbitrary file uploa ...)
- TODO: check
+ NOT-FOR-US: scalar/astro
CVE-2026-2955 (The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is v ...)
NOT-FOR-US: WordPress plugin
CVE-2026-2611 (In MLflow version 3.9.0, the MLflow Assistant feature introduced impro ...)
@@ -1289,25 +1289,25 @@ CVE-2026-24142 (NVIDIA TRT-LLM for any platform contains a deserialization vulne
CVE-2025-70950 (An issue in gohttp commit 34ea51 allows attackers to execute a directo ...)
TODO: check
CVE-2025-61081 (In BYD Atto3, an attacker can obtain an authentication key through Bru ...)
- TODO: check
+ NOT-FOR-US: BYD Atto3
CVE-2025-57798 (Joplin is an open source note-taking and to-do application that organi ...)
TODO: check
CVE-2025-51427 (An issue was discovered in ModelScope 1.25.0 allowing attackers to exe ...)
- TODO: check
+ NOT-FOR-US: ModelScope
CVE-2025-40904 (A Stored HTML Injection vulnerability was discovered in the Smart Poll ...)
- TODO: check
+ NOT-FOR-US: Guardian
CVE-2025-40903 (A Stored HTML Injection vulnerability was discovered in the Schedule R ...)
- TODO: check
+ NOT-FOR-US: Guardian
CVE-2025-40902 (A Stored HTML Injection vulnerability was discovered in the Users func ...)
- TODO: check
+ NOT-FOR-US: Guardian
CVE-2025-40901 (A Stored HTML Injection vulnerability was discovered in the Credential ...)
- TODO: check
+ NOT-FOR-US: Guardian
CVE-2025-40900 (An Angular template injection vulnerability was discovered in the Repo ...)
- TODO: check
+ NOT-FOR-US: Guardian
CVE-2025-33255 (NVIDIA TRT-LLM for any platform contains a vulnerability in MPI server ...)
NOT-FOR-US: NVIDIA
CVE-2025-15645 (Ledger Nano X, Flex, and Stax devices contain a denial of service vuln ...)
- TODO: check
+ NOT-FOR-US: Ledger Nano X, Flex, and Stax devices
CVE-2025-15369 (The Xpro Addons \u2014 140+ Widgets for Elementor plugin for WordPress ...)
NOT-FOR-US: WordPress plugin
CVE-2025-14575 (An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS b ...)
@@ -1315,7 +1315,7 @@ CVE-2025-14575 (An Uncontrolled Search Path Element vulnerability in the OpenSSL
CVE-2024-36343 (Improper input validation in the System Management Mode (SMM) communic ...)
TODO: check
CVE-2023-7345 (Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6 ...)
- TODO: check
+ NOT-FOR-US: Ledger
CVE-2026-29518 (Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TO ...)
{DSA-6282-1 DLA-4591-1}
- rsync 3.4.3+ds1-1
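Review bot: the three Ledger entries touched by this commit use three different tags: NOT-FOR-US: Ledger Bitcoin app (CVE-2023-7346), NOT-FOR-US: Ledger Nano X, Flex, and Stax devices (CVE-2025-15645) and, in this hunk, NOT-FOR-US: Ledger (CVE-2023-7345). Using the single vendor tag NOT-FOR-US: Ledger for all three keeps them findable with one grep; the affected product is still visible in each description.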
@@ -1668,7 +1668,7 @@ CVE-2026-24792 (in OpenHarmony v6.0 and prior versions allow a remote attacker a
CVE-2026-22810 (Joplin is an open source note-taking and to-do application that organi ...)
- joplin <itp> (bug #931306)
CVE-2026-22069 (A local privilege escalation vulnerability exists in O+ Connect becaus ...)
- TODO: check
+ NOT-FOR-US: O+ Connect
CVE-2026-21789 (HCL Connections contains a broken access control vulnerability that ma ...)
NOT-FOR-US: HCL
CVE-2025-65954 (SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in t ...)
@@ -5634,7 +5634,7 @@ CVE-2025-35969 (Uncontrolled search path for some Intel(R) Server Firmware Updat
CVE-2025-27723 (Use after free for some Linux kernel driver for the Intel(R) Ethernet ...)
TODO: check
CVE-2025-12659 (The affected applications contains a memory corruption vulnerability w ...)
- TODO: check
+ NOT-FOR-US: Siemens
CVE-2024-54017 (A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All v ...)
NOT-FOR-US: Siemens
CVE-2025-54518 (Improper isolation of shared resources within the CPU operation cache ...)
@@ -6377,7 +6377,7 @@ CVE-2025-65415 (docuFORM Managed Print Service Client 11.11c is vulnerable to a
CVE-2025-63750
REJECTED
CVE-2025-61314 (A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_or ...)
- TODO: check
+ NOT-FOR-US: docuForm
CVE-2025-61313 (A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_ma ...)
NOT-FOR-US: docuForm
CVE-2025-61312 (A reflected cross-site scripted (XSS) vulnerability in the acc-menu_pr ...)
@@ -335965,7 +335965,7 @@ CVE-2023-30061 (D-Link DIR-879 v105A1 is vulnerable to Authentication Bypass via
CVE-2023-30060
RESERVED
CVE-2023-30059 (An insecure direct object reference in MK-Auth 23.01K4.9 allows attack ...)
- TODO: check
+ NOT-FOR-US: MK-Auth
CVE-2023-30058 (novel-plus 3.6.2 is vulnerable to SQL Injection.)
NOT-FOR-US: novel-plus
CVE-2023-30057 (Multiple stored cross-site scripting (XSS) vulnerabilities in FICO Ori ...)
@@ -343739,7 +343739,7 @@ CVE-2023-27755 (go-bbs v1 was discovered to contain an arbitrary file download v
CVE-2023-27754 (vox2mesh 1.0 has stack-overflow in main.cpp, this is stack-overflow ca ...)
NOT-FOR-US: vox2mesh
CVE-2023-27753 (An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows att ...)
- TODO: check
+ NOT-FOR-US: MK-Auth
CVE-2023-27752
REJECTED
CVE-2023-27751
@@ -354238,7 +354238,7 @@ CVE-2023-24217 (AgileBio Electronic Lab Notebook v4.234 was discovered to contai
CVE-2023-24216
RESERVED
CVE-2023-24215 (Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G ...)
- TODO: check
+ NOT-FOR-US: NOVUS AirGate 4G firmware
CVE-2023-24214
RESERVED
CVE-2023-24213
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2edf328c3130150e99790e8d92483838ee664dd9